MDT 2013 Update 2 BitLocker Recovery Screen Help!

  • Question

  • Using MDT 2013 Update 2 to deploy Windows 10 Enterprise. My Partition settings and error screens are below!

    UEFI mode, Toshiba Z30 model. Deployment works fine until I add BitLocker to the deployment.

    Customsettings.ini

    BDEInstallSuppress=NO
    BDEWaitForEncryption=False
    BDEDriveLetter=S:
    BDEDriveSize=2000
    BDEInstall=TPMKey
    BDERecoveryKey=AD
    BDEKeyLocation=\\ my network share

    After laying down the OS, the first reboot I get a blue recovery screen. 



    Wednesday, May 11, 2016 12:07 PM

All replies

  • Have you tried w/o BDEDriveSize?

    Many questions such as where do I find logs and what logs are interesting are found in: MDT TechNet Forum - FAQ & Getting Started Guide Please take the time to read it.

    Wednesday, May 11, 2016 5:39 PM
  • Hey Ty.

    What I did was

    customsettings.ini

    BDEInstallSuppress=NO
    BDEWaitForEncryption=False
    BDEDriveLetter=S:
    BDEDriveSize=2000
    BDEInstall=TPM
    BDERecoveryKey=AD
    BDEKeyLocation=C:\IT

    I also disabled the Enable BitLocker (Offline) step in my TS. 

    All is well. Key gets registered in AD and the deployment completes with no problems. 

    The only outstanding issue or concern is once bitlocker is enabled under state restore it takes a long time to encrypt! 

    Any tips on how to speed things up?

    Thank you!

    • Marked as answer by Prince Ali Ababwa Wednesday, May 11, 2016 5:43 PM
    • Unmarked as answer by Ty Glander Wednesday, May 18, 2016 12:12 AM
    Wednesday, May 11, 2016 5:43 PM
  • Other than my earlier suggestion no. Offline is faster

    Wednesday, May 11, 2016 6:08 PM
  • Hey Ty,

    I took out the BDEDriveSize=2000 from my customsettings

    I enabled the Bitlocker Offline step on my TS. Upon first reboot, I got the blue screen again. 

    Am I doing something wrong? 

    Wednesday, May 11, 2016 6:29 PM
  • Can you post a link to your logs? There might be some interesting clues there.

    Wednesday, May 11, 2016 7:08 PM
  • No problem. Please go here

    https://onedrive.live.com/redir?resid=A702138E1C4CF8DC!466&authkey=!AGWf2MfxN0UpCMQ&ithint=file%2clog

    Please let me know if you find the cause of this..

    Thank you

    Thursday, May 12, 2016 11:34 AM
  • Anyone able to view the logs to diagnose?
    Saturday, May 14, 2016 1:20 PM
  • You might try removing this: Using from [DEFAULT]: BDEKEYLOCATION = C:\IT

    That being said the log is incomplete. It doesn't show anything past your gather.


    Sunday, May 15, 2016 8:54 PM
  • I tried the changes you recommended and I get the same thing.

    What specific log do you need? I can grab them from this failed deployment. Let me know!

    Monday, May 16, 2016 12:23 PM
  • See the FAQ

    Tuesday, May 17, 2016 4:50 AM
  • I can't tell what is going on here, need the bdd.log file that includes the ZTIDiskPart, ZTIBDE steps.

    The error message is kind of weird. It's possible that the WinRE.wim file is *NOT* getting installed to your 4th partition above the "recovery" partition. I would start with the Panther logs (check the MDT FAQ), then open the partition and look for the WIM file; if not there, check the install.wim file for the WIM file as well.


    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Tuesday, May 17, 2016 7:43 PM
  • Hi Keith. Right when I get the Blue Recovery screen I captured the BDD.log which I uploaded here

    https://onedrive.live.com/redir?resid=A702138E1C4CF8DC!466&authkey=!AGWf2MfxN0UpCMQ&ithint=file%2clog

    Is this not complete? The screen occurs right after the OS is applied and the first restart happens...

    Tuesday, May 17, 2016 7:54 PM
  • Have you bothered to look at the FAQ?

    Tuesday, May 17, 2016 8:54 PM
  • NO, this is not the bdd.log file from right after the Blue Recovery screen. I suspect that you cleaned up from a dirty environment and it cleaned up the log file we actually need.

    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Tuesday, May 17, 2016 9:49 PM
  • Okay Keith. I got my act together.

    The link will take you to the BDD.log, ztibde.log, ztidiskpart.log, and ztiwinre.log

    https://onedrive.live.com/redir?resid=A702138E1C4CF8DC!467&authkey=!AO67rLlYIln7I-A&ithint=folder%2clog

    Wednesday, May 18, 2016 1:04 PM
  • Yes, I did and got (4) logs for you all to examine.

    https://onedrive.live.com/redir?resid=A702138E1C4CF8DC!467&authkey=!AO67rLlYIln7I-A&ithint=folder%2clog

    Wednesday, May 18, 2016 1:04 PM
  • Sorry, I can't tell what the problem is here.

    There are a couple of moving parts here that may be causing the problems.

    1. Disable Bitlocker, or more specifically the ZTIBDE.wsf script in the Pre-Install phase. It is not enabling any of the Bitlocker Protectors, but it is encrypting the drive. Why do we see the "recovery" blue screen during boot? I don't know, but removing the Bitlocker protectors is the first step.

    2. I asked some questions above about WinRE.wim, which you didn't answer. Please note that MDT includes a ZTIWinRE.wim step in the Task Sequence (as seen in the bdd.log file), *HOWEVER* this script is horribly broken for Windows 8.1 and Windows 10. Instead Windows 10 *ITSELF* will copy WinRE.wim to the local machine. I would verify WinRE.wim has been copied over.

    3. The Toshiba you are using is pretty new; it might be possible that it's missing some drivers. Fix the issues above first, and verify you have the right drivers.


    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Wednesday, May 18, 2016 3:26 PM
  • Looking at your logs the only thing that jumps out at me is you are using LTSB (10240 EnterpriseS). I know during testing there was some issue with downlevel OSes and the default encryption algorithm.  As a work around you could disable the enable bitlocker offline step.  


    Many questions such as where do I find logs and what logs are interesting are found in: MDT TechNet Forum - FAQ & Getting Started Guide Please take the time to read it. Also if you don't post logs your problem won't be easily solved.

    Wednesday, May 18, 2016 3:30 PM
  • Thank you Keith. I uploaded the panther logs

    setupact.log and setuperr.logs on the one drive. Please take a look

    Yes, I have tested the TS by disabling the bitlocker offline step and it images wonderfully. I have verified the drivers with the vendor and I do indeed have the correct drivers. 

    I am using Windows 10 LTSB so don't know if that is an issue. But at the end of the day I wanted to make sure there is something obvious that I am missing...

    Wednesday, May 18, 2016 3:42 PM
  • Thank you Keith. I uploaded the panther logs

    setupact.log and setuperr.logs on the one drive. Please take a look

    Yes, I have tested the TS by disabling the bitlocker offline step and it images wonderfully. I have verified the drivers with the vendor and I do indeed have the correct drivers. 

    I am using Windows 10 LTSB so don't know if that is an issue. But at the end of the day I wanted to make sure there is something obvious that I am missing...

    It is possible that you have the correct drivers but they don't get installed.  Try using the Total Control (method 3 from this post).

    Wednesday, May 18, 2016 3:48 PM
  • Since you removed ZTIBDE.wsf and now it works, that is great news. Cool.

    If you want to get Bitlocker Preprovisioning working (ZTIBDE.wsf) figure out where WinRE.wim is.


    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Wednesday, May 18, 2016 3:58 PM
  • I was not able to locate a winre.wim

    I ran this command line: 

    Reagentc /info /target C:\Windows

    It stated that Windows RE Status: DISABLED

    I also checked the bdd.log and I saw that WinRE is not enabled, skip.

    Does this help?

    Wednesday, May 18, 2016 4:16 PM
  • Keith I stumbled across this article. I know it is meant for SCCM but should work for MDT right?

    https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2016/03/30/windows-versions-prior-windows-10-build-1511-fail-to-start-after-setup-windows-and-configuration-manager-step-when-pre-provision-bitlocker-is-used-with-windows-pe-10-0-586-0-1511/

    • Marked as answer by Ty Glander Wednesday, May 18, 2016 8:43 PM
    Wednesday, May 18, 2016 7:36 PM
  • Keith I stumbled across this article. I know it is meant for SCCM but should work for MDT right?

    https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2016/03/30/windows-versions-prior-windows-10-build-1511-fail-to-start-after-setup-windows-and-configuration-manager-step-when-pre-provision-bitlocker-is-used-with-windows-pe-10-0-586-0-1511/

    Considering the relevant facts of your issue (LTSB with ADK 10586), this is probably the right solution.  You can either set the registry to a 10240 supported bitlocker OR downgrade to ADK 10240.

    Also thanks I was looking for this article to post here :)


    Wednesday, May 18, 2016 7:48 PM
  • Bingo!

    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Wednesday, May 18, 2016 8:26 PM
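
Added example (not posted by anyone in this thread): a PowerShell check for the two conditions the thread ends on, a WinPE 10586 boot image pre-provisioning BitLocker for a 10240 OS image, and a deployed volume that is encrypted but has no protectors or no WinRE. The WIM paths in the usage lines are placeholders, and the `reagentc` match assumes English output.

```powershell
# Added example; run elevated. Paths in the usage lines are placeholders.
#Requires -RunAsAdministrator

# Run on the deployment server: compare the WinPE boot image build with the
# OS image build. WinPE 10586 (1511) pre-provisions BitLocker with a newer
# default encryption method (XTS-AES) that a 10240 OS cannot unlock, which
# ends in the recovery screen on the first reboot.
function Test-PreProvisionCompatibility {
    param(
        [Parameter(Mandatory)][string]$BootWim,
        [Parameter(Mandatory)][string]$OsWim,
        [int]$OsIndex = 1
    )
    $pe = [version](Get-WindowsImage -ImagePath $BootWim -Index 1).Version
    $os = [version](Get-WindowsImage -ImagePath $OsWim -Index $OsIndex).Version
    [pscustomobject]@{
        WinPEBuild = $pe.Build
        OSBuild    = $os.Build
        Compatible = -not ($pe.Build -ge 10586 -and $os.Build -lt 10586)
    }
}

# Run on the deployed machine: confirm the volume is actually protected,
# not just encrypted, and that WinRE is in place.
function Test-DeployedVolume {
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $re    = (& reagentc.exe /info) -join "`n"   # same tool used in the thread
    [pscustomobject]@{
        EncryptionMethod    = "$($vol.EncryptionMethod)"
        VolumeStatus        = "$($vol.VolumeStatus)"
        ProtectionOn        = "$($vol.ProtectionStatus)" -eq 'On'
        HasTpmProtector     = $types -contains 'Tpm'
        HasRecoveryPassword = $types -contains 'RecoveryPassword'
        WinREEnabled        = $re -match 'Windows RE status:\s+Enabled'
    }
}

# Usage (placeholder paths):
# Test-PreProvisionCompatibility -BootWim '<DeploymentShare>\Boot\LiteTouchPE_x64.wim' -OsWim '<path to install.wim>'
# Test-DeployedVolume
```

A `Compatible = False` result is the case described in the linked article; a deployed volume with `ProtectionOn = False` or no recovery password protector has nothing to escrow to AD.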